CN101877834B - Secret key notification and decryption method and device in GBA (Generic Bootstrapping Architecture) Push - Google Patents

Secret key notification and decryption method and device in GBA (Generic Bootstrapping Architecture) Push

Info

Publication number
CN101877834B
Authority
CN
China
Prior art keywords
key
naf
external
internal
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200910137951.2A
Other languages
Chinese (zh)
Other versions
CN101877834A (en
Inventor
许怡娴
张丽佳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN200910137951.2A
Publication of CN101877834A
Application granted
Publication of CN101877834B

Landscapes

  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the invention provide a key notification and decryption method and device in Generic Bootstrapping Architecture push (GBA Push). The key notification method comprises: encrypting the push information to be pushed to user equipment (UE) with a first key and with a second key respectively, generating two encrypted push messages; and sending the two encrypted push messages and their corresponding key type information to the UE. This solves the problem that, during GBA Push, the UE cannot decrypt the push information because the key type pushed by the server is inconsistent with the key type supported by the UE.

Description

Key notification and decryption method and device in GBA Push
Technical field
The present invention relates to the communications field, and specifically to a key notification and decryption method and device in Generic Bootstrapping Architecture push (GBA Push).
Background
In third-generation wireless communication standards, GBA is a generic architecture that multiple application service entities use to verify user identity and, at the same time, to generate a shared key that protects application communication. GBA Push is a technique for the case where a network application server actively initiates an application toward the user.
GBA Push can be divided into GBA Push based on the GBA mobile equipment (GBA_ME) and GBA Push based on the GBA card (GBA_U). The user equipment (User Equipment, UE) comprises the mobile equipment (Mobile Equipment, ME) and the Universal Integrated Circuit Card (UICC).
In GBA Push based on GBA_U, two keys are generated: after generating Ks, the UICC directly computes Ks_int_NAF and Ks_ext_NAF. The UICC stores Ks_int_NAF and sends Ks_ext_NAF to the ME, which stores it. A key selection is therefore required in the GBA_U case. The push message that the network application function (Network Application Function, NAF) sends to the UE contains a key indication ID (Key Indication ID) parameter, which tells the UE which key type to use in the GBA_U case, for example Ks_ext_NAF or Ks_int_NAF.
The UE needs an HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) client to run the application service. In the GBA_U case, the key type the UE supports depends on where the client resides: if the client is in the ME, the UE must use the external key (Ks_ext_NAF) to decrypt the received information; if the client is in the UICC, the UE must use the internal key (Ks_int_NAF) to decrypt the received information.
In the course of realizing the present invention, the inventors found that the prior art has at least the following problem: in GBA Push based on GBA_U, the network application function (NAF) server cannot obtain information about the UE, so the key type parameter in the push message sent to the UE may contradict the key type the UE supports. For example, the NAF instructs the UE to decrypt with Ks_int_NAF, but the client is in the ME and the UE can only decrypt with Ks_ext_NAF, so the UE cannot decrypt the push information.
Summary of the invention
The object of the present invention is to provide a key notification method and device in GBA Push that solve the prior-art problem that, when the server pushes information, the key type indicated to the UE is inconsistent with the key type the UE supports, so that the UE cannot decrypt the push information.
To solve the above problem, an embodiment of the invention provides a key notification method in Generic Bootstrapping Architecture push (GBA Push), comprising: encrypting the push information to be pushed to the user equipment (UE) with a first key and with a second key respectively, generating two encrypted push messages; and sending the two encrypted push messages and their corresponding key type information to the UE.
An embodiment of the invention also provides a decryption method in GBA Push, comprising: receiving two encrypted push messages pushed by the server and their corresponding key type information, where the two encrypted push messages are generated by the server encrypting the push information to be pushed to the UE with a first key and with a second key respectively; and, if the third key in the specific unit of the UE where the client resides does not match the key type information, generating a fourth key from the third key and using the fourth key to decrypt the push message that carries the corresponding key type information.
An embodiment of the invention also provides a decryption method in GBA Push, comprising: receiving two encrypted push messages pushed by the server and their corresponding key type information, where the two encrypted push messages are generated by the server encrypting the push information to be pushed to the UE with the internal key and with the external key respectively; if the specific unit of the UE where the client resides is the ME of the UE, using the external key stored in the ME to decrypt the push message that carries the corresponding key type information; if the specific unit of the UE where the client resides is the UICC of the UE, using the internal key stored in the UICC to decrypt the push message that carries the corresponding key type information.
An embodiment of the invention also provides a decryption method in GBA Push, comprising: receiving one encrypted push message pushed by the server and its corresponding key type information; and, if the client is located in a first specific unit and the third key of that first specific unit does not match the key type information, then either the first specific unit sends a command to a second specific unit requesting that the second specific unit download the client, and the second specific unit decrypts the push message with a fourth key; or the first specific unit obtains the fourth key from the second specific unit and uses the fourth key to decrypt the push message.
An embodiment of the invention also provides a UE, comprising: a receiving unit, configured to receive one encrypted push message pushed by the server and its corresponding key type information; a judging unit, configured to judge whether the third key of the first specific unit where the client resides matches the key type information; and a decryption unit, configured, when the judging unit finds a mismatch, either to send a command to a second specific unit requesting that the second specific unit download the client, so that the second specific unit decrypts the push message with a fourth key, or to obtain the fourth key from the second specific unit and use the fourth key to decrypt the push message.
An embodiment of the invention also provides a server, comprising: an encryption unit, which encrypts the push information to be pushed to the UE with a first key and with a second key respectively, generating two encrypted push messages; and a sending unit, which sends the two encrypted push messages, together with the key type information used for each, to the UE.
An embodiment of the invention also provides a UE, comprising: a receiving unit, configured to receive the two push messages and the corresponding key type information sent by the server; and a first specific unit, configured, when the client is in the first specific unit and the third key of the first specific unit does not match the key type information, to generate a fourth key from the third key and use the fourth key to decrypt the push message that carries the corresponding key type information.
An embodiment of the invention also provides a key notification method in GBA Push: during GBA Push, the UE receives push information; the UE judges whether the key type in the push information matches the key type the UE supports; if it does not match, the UE returns to the NAF information carrying the key type the UE supports.
An embodiment of the invention also provides a key notification method in GBA Push, comprising: during GBA Push, pushing push information and key type information to the UE; receiving the information returned by the UE that carries the key type the UE supports; and, according to that information, regenerating push information and key type information that suit the UE and pushing them to the UE.
An embodiment of the invention also provides a UE, comprising: a receiving unit, configured to receive push information during GBA Push; a matching unit, configured to judge whether the key type the UE supports matches the key type in the push information; and a feedback unit, configured to return to the server information carrying the key type the UE supports when the matching unit judges that the key type of the push information received by the UE does not match the key type the UE supports.
An embodiment of the invention also provides a server, comprising: a sending unit, configured to push push information and key type information to the UE during GBA Push; a receiving unit, configured to receive the information returned by the UE that carries the key type the UE supports; and an encryption unit, configured to regenerate, according to the key type the UE supports, push information and key type information that suit the UE, and to pass them to the sending unit for pushing to the UE.
An embodiment of the invention also provides a key notification method in GBA Push, comprising: while the BSF communicates with the UE, obtaining and storing the key type information the UE supports; and the BSF notifying the network application function (NAF) of the key type information the UE supports, so that the NAF can encrypt the push information with a key type the UE supports when performing GBA Push.
An embodiment of the invention also provides a BSF, comprising: an acquiring unit, configured to obtain and store the key type information the UE supports while the BSF communicates with the UE; and a sending unit, configured to notify the network application function (NAF) of the key type information the UE supports, so that the NAF can encrypt the push information with a key type the UE supports when performing GBA Push.
The beneficial effect of the embodiments of the invention is that they solve the prior-art problem that, during GBA Push, the UE cannot decrypt the push information because the key type pushed by the server is inconsistent with the key type the UE supports.
Description of drawings
The drawings described here provide a further understanding of the invention and form part of this application; they do not limit the invention. In the drawings:
Figure 1 is a flow chart of a first embodiment of the server's key notification method in GBA Push according to the invention;
Figure 2a is a flow chart of a first embodiment of the decryption method in GBA Push according to the invention;
Figure 2b is a flow chart of a second embodiment of the decryption method in GBA Push according to the invention;
Figure 3 is a structural diagram of a first embodiment of the server provided by the invention;
Figure 4 is a structural diagram of a first embodiment of the UE provided by the invention;
Figure 5 is a signaling flow diagram of a first embodiment of the method provided by the invention for resolving key type inconsistency in GBA Push;
Figure 6 is a signaling flow diagram of a second embodiment of the method provided by the invention for resolving key type inconsistency in GBA Push;
Figure 7 is a signaling flow diagram of a third embodiment of the method provided by the invention for resolving key type inconsistency in GBA Push;
Figure 8 is a signaling flow diagram of a fourth embodiment of the method provided by the invention for resolving key type inconsistency in GBA Push;
Figure 9 is a signaling flow diagram of a fifth embodiment of the method provided by the invention for resolving key type inconsistency in GBA Push;
Figure 10 is a flow chart of a third embodiment of the decryption method in GBA Push according to the invention;
Figure 11 is a structural diagram of a second embodiment of the UE according to the invention;
Figure 12 is a flow chart of a second embodiment of the server's key notification method in GBA Push provided by the invention;
Figure 13 is a structural diagram of a second embodiment of the server according to the invention;
Figure 14 is a signaling flow diagram of a sixth embodiment of the method provided by the invention for resolving key type inconsistency in GBA Push;
Figure 15 is a flow chart of a third embodiment of the method provided by the invention for resolving key type inconsistency in GBA Push;
Figure 16 is a signaling flow diagram of a seventh embodiment of the method provided by the invention for resolving key type inconsistency in GBA Push;
Figure 17 is a flow chart of a fourth embodiment of the decryption method in GBA Push according to the invention;
Figure 18 is a structural schematic diagram of a third embodiment of a UE according to an embodiment of the invention;
Figure 19 is a structural diagram of an embodiment of the BSF according to the invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the embodiments and the drawings. The exemplary embodiments and their description serve to explain the invention and do not limit it.
The embodiments of the invention provide a key notification method and device in GBA Push. The invention is described in detail below with reference to the drawings.
Figure 1 shows a flow chart of a first embodiment of the server's key notification method in Generic Bootstrapping Architecture push (GBA Push) according to the invention.
Step 101: encrypt the push information to be pushed to the UE with a first key and with a second key respectively, generating two encrypted push messages.
The first key comprises the internal key or the external key; the second key comprises the internal constructed key corresponding to the internal key, or the external constructed key corresponding to the external key.
Step 102: send the two encrypted push messages and their corresponding key type information to the UE.
In one embodiment of the invention, the method further comprises, before step 101, obtaining the internal key and the external key calculated by the BSF, together with the internal constructed key corresponding to the internal key and the external constructed key corresponding to the external key.
In step 101, the push information is encrypted with the internal key and with its corresponding internal constructed key respectively; or the push information is encrypted with the external key and with its corresponding external constructed key respectively;
and the key type information is marked in each push message.
In one embodiment of the invention, the internal constructed key is obtained as generated by the BSF from the external key and a specific character string, and the external constructed key is obtained as generated by the BSF from the internal key and a specific character string.
In one embodiment of the invention, the specific character string can be preset or randomly generated.
In one embodiment of the invention, the specific character string is pushed to the UE.
In one embodiment of the invention, the method further comprises, before step 101, obtaining the internal key and the external key calculated by the BSF.
In step 101, the NAF encrypts the push information with the internal key and with the external key respectively, and marks the key type information in each push message.
With the above embodiment, the server sends the UE two push messages encrypted with different keys, so the UE obtains a push message it can decrypt even though the server has received no message from the UE.
Figure 2a shows a flow chart of a first embodiment of the decryption method in GBA Push according to the invention.
Step 201: receive the two push messages and the corresponding key type information sent by the server, where the two encrypted push messages are generated by the server encrypting the push information to be pushed to the UE with a first key and with a second key respectively.
Step 202: if the client is in a specific unit of the UE and the third key of that specific unit does not match the key type information, generate a fourth key from the third key and use the fourth key to decrypt the push message that carries the corresponding key type information.
In one embodiment of the invention, the client being in a specific unit of the UE means that the client is located in the ME of the UE or in the UICC of the UE.
In one embodiment of the invention, the specific unit generating the fourth key from the third key comprises: generating the internal constructed key from the external key and a specific character string; or generating the external constructed key from the internal key and a specific character string.
In one embodiment of the invention, the specific character string can be preset, or the NAF pushes the specific character string to the UE.
In one embodiment of the invention, the specific unit is the ME of the UE and, accordingly, the third key is the external key; generating the fourth key from the third key specifically comprises generating the internal constructed key from the external key and the specific character string, the internal constructed key being the fourth key;
or the specific unit is the UICC of the UE and, accordingly, the third key is the internal key; generating the fourth key from the third key specifically comprises generating the external constructed key from the internal key and the specific character string, the external constructed key being the fourth key;
where the specific character string is preset or is received as pushed by the server.
With the above embodiment, the UE can select a suitable key according to the received key type information and decrypt the push information.
Figure 2b shows a flow chart of a second embodiment of the decryption method in GBA Push according to the invention.
Step 201': receive the two encrypted push messages pushed by the server and their corresponding key type information, where the two encrypted push messages are generated by the server encrypting the push information to be pushed to the UE with the internal key and with the external key respectively;
Step 202': if the specific unit of the UE where the client resides is the ME of the UE, use the external key stored in the ME to decrypt the push message that carries the corresponding key type information;
Step 203': if the specific unit of the UE where the client resides is the UICC of the UE, use the internal key stored in the UICC to decrypt the push message that carries the corresponding key type information.
With the above embodiment, the UE can select a suitable key according to the received key type information and decrypt the push information.
Figure 3 shows a structural diagram of a first embodiment of the server provided by the invention.
The server comprises an encryption unit 301 and a sending unit 302.
The encryption unit 301 is configured to encrypt the push information to be pushed to the UE with a first key and with a second key respectively.
The sending unit 302 sends the two encrypted push messages, together with the key type information used for each, to the UE.
In an embodiment of the invention, the server further comprises a computing unit, configured to calculate the internal key and the external key, the internal constructed key corresponding to the internal key and the external constructed key corresponding to the external key. The encryption unit 301 encrypts the push information with the internal key output by the computing unit and with its corresponding internal constructed key respectively; or with the external key and with its corresponding external constructed key respectively; or with the internal key and with the external key respectively.
With the above embodiment, the server sends the UE two push messages encrypted with different keys, so the UE obtains a push message it can decrypt even though the server has received no message from the UE.
Figure 4 shows a structural diagram of a first embodiment of the UE according to the invention.
The UE comprises a receiving unit 401 and a first specific unit 402.
The receiving unit 401 is configured to receive the two push messages and the corresponding key type information sent by the server.
The first specific unit 402: if the client is in the first specific unit and the third key of the first specific unit does not match the key type information, it generates a fourth key from the third key and uses the fourth key to decrypt the push message that carries the corresponding key type information.
In one embodiment of the invention, when the first specific unit 402 is the UICC card, the third key is the internal key and the fourth key is the external constructed key; when the first specific unit 402 is the ME, the third key is the external key and the fourth key is the internal constructed key.
In one embodiment of the invention, the ME generates the internal constructed key from the external key and a specific character string; the UICC card generates the external constructed key from the internal key and a specific character string.
With the above embodiment, the UE can select a suitable key according to the key type information in the received push message and decrypt the push information.
Figure 5 shows a signaling flow diagram of a first embodiment of the method provided by the invention for resolving key type inconsistency in GBA Push.
Step 501: the BSF calculates the internal key (Ks_int_NAF), the external key (Ks_ext_NAF), the internal constructed key (Ks_int'_NAF) and the external constructed key (Ks_ext'_NAF), and sends these keys to the NAF.
Where:
Ks_int'_NAF = KDF(Ks_ext_NAF, "int", RAND, IMPI, NAF_Id)
Ks_ext'_NAF = KDF(Ks_int_NAF, "ext", RAND, IMPI, NAF_Id)
Here KDF is the key derivation function; "int" and "ext" are specific character strings, which can be randomly generated or preset; RAND is a random number; IMPI is the user's identity information; Ks_int_NAF is the internal key, stored on the UICC card; Ks_ext_NAF is the external key, stored on the ME; NAF_Id is the identity information of the NAF.
Step 502: the NAF encrypts the information to be pushed with the internal key and the internal constructed key, or with the external key and the external constructed key, and marks the key type information in the pushed messages. In this example, the information to be pushed is encrypted with the internal key and the internal constructed key.
The key type information includes the kind of key used, that is, original key or constructed key, expressed by Key Type (1 bit long): Key Type=0 means the original key is used, and Key Type=1 means the constructed key is used.
The original keys are the internal key and the external key; the constructed keys are the internal constructed key and the external constructed key.
The key type information also includes a flag indicating whether the internal key (internal constructed key) or the external key (external constructed key) is used, expressed by Key Indication ID (1 bit): Key Indication ID=0 means the NAF instructs the client on the UE to decrypt with Ks_int_NAF (or Ks_int'_NAF); Key Indication ID=1 means the NAF instructs the client on the UE to decrypt with Ks_ext_NAF (or Ks_ext'_NAF).
In this example, the push message encrypted with the internal key carries Key Type=0 and Key Indication ID=0; the push message encrypted with the internal constructed key carries Key Type=1 and Key Indication ID=0.
Step 503: the NAF sends the two encrypted push messages to the UE. In this example, one is encrypted with the internal key and carries key type information indicating that it was encrypted with the internal key, an original key; the other is encrypted with the internal constructed key and carries key type information indicating that it was encrypted with the internal constructed key.
Step 504: if the client is on the UICC card, the UE supports the key type Ks_int_NAF indicated by the NAF and can use Ks_int_NAF to decrypt the push message carrying Key Type=0.
Step 505: if the client is on the ME, the UE does not support the key type Ks_int_NAF indicated by the NAF, so:
When the ME has computing capability, the ME calculates the constructed key Ks_int'_NAF from the stored Ks_ext_NAF and then uses Ks_int'_NAF to decrypt the push message carrying Key Type=1;
When the ME has no computing capability, the ME sends Ks_ext_NAF to the UICC, the UICC calculates the constructed key Ks_int'_NAF and sends Ks_int'_NAF to the ME, and the ME then uses Ks_int'_NAF to decrypt the push message carrying Key Type=1.
Here Ks_int'_NAF = KDF(Ks_ext_NAF, "int", RAND, IMPI, NAF_Id). The character string "int" can be preset on the UE (and likewise preset on the BSF), or can be pushed to the UE in the GBA push information (GPI) exchanged between the NAF and the UE; this GPI push usually takes place before the encrypted push described above.
Figure 6 shows a signaling flow diagram of a second embodiment of the method provided by the invention for resolving key type inconsistency in GBA Push.
This embodiment is largely the same as the embodiment of Figure 5, so only the differences are described; what is the same is not repeated.
In step 602, the NAF encrypts the information to be pushed with the external key and the external constructed key, and marks the key type information in the pushed messages.
In this example, the push message encrypted with the external key carries Key Type=0 and Key Indication ID=1; the push message encrypted with the external constructed key carries Key Type=1 and Key Indication ID=1.
In step 603, the two encrypted push messages are sent to the UE.
In step 604, if the client is on the ME, the UE supports the key type Ks_ext_NAF indicated by the NAF, and the ME can use Ks_ext_NAF to decrypt the push message carrying Key Type=0.
In step 605, if the client is on the UICC card, the UE does not support the key type Ks_ext_NAF indicated by the NAF; the UICC card calculates the constructed key Ks_ext'_NAF from the Ks_int_NAF stored in the UICC card and uses Ks_ext'_NAF to decrypt the push message carrying Key Type=1.
Here Ks_ext'_NAF = KDF(Ks_int_NAF, "ext", RAND, IMPI, NAF_Id).
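The key selection of the Figure 5 and Figure 6 embodiments, as an added example that is not part of the patent text: the NAF tags two ciphertexts with Key Type and Key Indication ID, and the unit hosting the client either uses its stored key or derives the constructed key. The description does not specify the KDF or the cipher, so HMAC-SHA-256 and an HMAC-based encrypt-then-MAC stand in for them; all function names and all key, RAND, IMPI and NAF_Id values are constructed for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional


def kdf(key: bytes, label: str, rand: bytes, impi: str, naf_id: str) -> bytes:
    # ASSUMPTION: HMAC-SHA-256 over length-prefixed fields stands in for
    # KDF(key, "int"/"ext", RAND, IMPI, NAF_Id), which the text leaves open.
    fields = (label.encode(), rand, impi.encode(), naf_id.encode())
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        block = b"enc" + nonce + ctr.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # ASSUMPTION: stand-in encrypt-then-MAC for the unspecified push encryption.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or modified message
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


@dataclass
class Push:
    key_type: int           # 0 = original key, 1 = constructed key
    key_indication_id: int  # 0 = Ks_int_NAF family, 1 = Ks_ext_NAF family
    blob: bytes


# Key family each unit stores: the UICC holds Ks_int_NAF, the ME holds Ks_ext_NAF.
NATIVE_ID = {"UICC": 0, "ME": 1}


def naf_push(original: bytes, constructed: bytes, ind_id: int, payload: bytes) -> List[Push]:
    # Steps 502/602: same payload under the original and the constructed key.
    return [Push(0, ind_id, seal(original, payload)),
            Push(1, ind_id, seal(constructed, payload))]


def ue_decrypt(client_in: str, stored_key: bytes, pushes: List[Push],
               rand: bytes, impi: str, naf_id: str) -> Optional[bytes]:
    native = NATIVE_ID[client_in]
    for p in pushes:
        if p.key_type == 0 and p.key_indication_id == native:
            key = stored_key                      # steps 504 / 604
        elif p.key_type == 1 and p.key_indication_id != native:
            label = "int" if p.key_indication_id == 0 else "ext"
            key = kdf(stored_key, label, rand, impi, naf_id)  # steps 505 / 605
        else:
            continue  # no key in this unit corresponds to these flags
        plain = unseal(key, p.blob)
        if plain is not None:
            return plain
    return None


def demo() -> dict:
    # Constructed sample values, not taken from any real deployment.
    rand, impi, naf_id = bytes(16), "user@example.org", "naf.example.org"
    ks_int = hashlib.sha256(b"constructed Ks_int_NAF").digest()
    ks_ext = hashlib.sha256(b"constructed Ks_ext_NAF").digest()
    ks_int_c = kdf(ks_ext, "int", rand, impi, naf_id)   # Ks_int'_NAF
    ks_ext_c = kdf(ks_int, "ext", rand, impi, naf_id)   # Ks_ext'_NAF
    msg = b"push payload"
    fig5 = naf_push(ks_int, ks_int_c, 0, msg)
    fig6 = naf_push(ks_ext, ks_ext_c, 1, msg)
    ctx = (rand, impi, naf_id)
    return {
        "fig5_uicc": ue_decrypt("UICC", ks_int, fig5, *ctx),
        "fig5_me": ue_decrypt("ME", ks_ext, fig5, *ctx),
        "fig6_me": ue_decrypt("ME", ks_ext, fig6, *ctx),
        "fig6_uicc": ue_decrypt("UICC", ks_int, fig6, *ctx),
        # Prior art: only the Ks_int_NAF message is sent.
        "prior_art_uicc": ue_decrypt("UICC", ks_int, fig5[:1], *ctx),
        "prior_art_me": ue_decrypt("ME", ks_ext, fig5[:1], *ctx),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The `prior_art_me` case reproduces the failure from the background section: with only the Ks_int_NAF message, a client in the ME has no usable key and gets nothing back.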
Figure 7 shows a signaling flow diagram of a third embodiment of the method provided by the invention for resolving key type inconsistency in GBA Push.
Step 701: the BSF calculates the internal key (Ks_int_NAF) and the external key (Ks_ext_NAF) and sends these keys to the NAF.
Step 702: the NAF encrypts the information to be pushed with the internal key and with the external key, and marks the key type information in the pushed messages: the push message encrypted with the internal key carries Key Indication ID=0; the push message encrypted with the external key carries Key Indication ID=1.
Step 703: the NAF sends the two encrypted push messages to the UE. In this example, one is encrypted with the internal key and carries key type information indicating that it was encrypted with the internal key, an original key; the other is encrypted with the external key and carries key type information indicating that it was encrypted with the external key, an original key.
Step 704: if the client is on the ME, the ME can use the stored Ks_ext_NAF to decrypt the push message carrying Key Indication ID=1.
Step 705: if the client is on the UICC card, the UICC card uses the Ks_int_NAF stored in the UICC to decrypt the push message carrying Key Indication ID=0.
Figure 8 is a signal flow diagram of the fourth embodiment of the method provided by the present invention for resolving key type inconsistency in GBA Push.
Step 801: as in the prior art, the NAF pushes one piece of encrypted information to the UE and carries the corresponding key type information. In this example the pushed information is encrypted with the external key.
Step 802: after the UE receives this pushed information, if the client is on the ME, the ME can use the stored Ks_ext_NAF to decrypt the PUSH message.
Step 803: if the client is on the UICC card, the UICC card sends a command to the ME requesting the ME to download the client, and the pushed information is decrypted on the ME with the ME's Ks_ext_NAF; or the UICC card requests the Ks_ext_NAF key stored in the ME and uses Ks_ext_NAF to decrypt the PUSH message.
With this embodiment, the server side needs no change; only the UE side is changed accordingly, which further saves cost.
Figure 9 is a signal flow diagram of the fifth embodiment of the method provided by the present invention for resolving key type inconsistency in GBA Push.
Step 901: as in the prior art, the NAF pushes one piece of encrypted information to the UE and carries the corresponding key type information. In this example the pushed information is encrypted with the internal key.
Step 902: after the UE receives this pushed information, if the client is on the UICC card, the UICC card can use the stored key Ks_int_NAF to decrypt the PUSH message.
Step 903: if the client is on the ME, the ME sends a command to the UICC card requesting the UICC card to download the client, and the pushed information is decrypted in the UICC card with the UICC card's Ks_int_NAF; or the ME requests the Ks_int_NAF key stored in the UICC card and uses Ks_int_NAF to decrypt the PUSH message.
Figure 10 is a flow chart of the third embodiment of the decryption method in GBA Push of the present invention.
Step 1001: during GBA push, pushed information is received.
Step 1002: the UE judges whether the key type in the pushed information matches the key type the UE supports.
Step 1003: if they do not match, the UE returns to the NAF information carrying the key type this UE supports.
In one embodiment of the present invention, when the UE returns to the server the information carrying the key type this UE supports, the UE writes the key type information it supports into the User Agent field of the HTTP request message.
With this embodiment, the UE can feed back to the server whether the key type is correct, so the server can adjust the pushed information according to the feedback.
Figure 11 is a structural diagram of the second embodiment of the UE of the present invention.
It comprises a receiving unit 1101, configured to receive pushed information during GBA push and send the pushed information to the matching unit 1102.
The matching unit 1102 obtains the pushed information received by the receiving unit 1101 and judges whether the key type in the pushed information matches the key type the UE supports.
The feedback unit 1103 receives the judgment result of the matching unit 1102 and, if they do not match, returns to the server information carrying the key type this UE supports.
Figure 12 is a flow chart of the second embodiment of the method of the present invention by which the server notifies the key in GBA Push.
Step 1201: during GBA push, the NAF pushes information and key type information to the UE.
Step 1202: the NAF receives the information, returned by the UE, carrying the key type this UE supports.
Step 1203: according to the information on the key type the UE supports, the NAF regenerates pushed information and key type information that suit the UE, and pushes them to the UE.
With this embodiment, the server can dynamically adjust the pushed information according to the supported key type information fed back by the UE, which solves the problem that the UE cannot decrypt the PUSH message during GBA push because of key type inconsistency.
Figure 13 is a structural diagram of the second embodiment of the server of the present invention.
It comprises a sending unit 1301, configured to push information and key type information to the UE during GBA push.
The receiving unit 1302 is configured to receive the information, returned by the UE, carrying the key type this UE supports.
The encryption unit 1303 is configured to regenerate, according to the information on the key type the UE supports, pushed information and key type information that suit the UE, and to pass them to the sending unit 1301 to be pushed to the UE.
Figure 14 is a signal flow diagram of the sixth embodiment of the method provided by the present invention for resolving key type inconsistency in GBA Push.
Step 1401: the NAF pushes information to the UE and indicates the key type information.
Step 1402: if the key type indicated by the NAF does not match the key type the UE supports, the UE returns the key type information this UE supports to the NAF in an HTTP request.
Step 1403: if the NAF cannot accept the key type the UE supports (usually for security reasons), the NAF sends an error message to the UE and ends the communication.
Step 1404: if the NAF can accept the key type the UE supports, the NAF encrypts the pushed information using the key type fed back by the UE and pushes it to the UE.
Step 1405: the UE decrypts the PUSH message with the corresponding key.
Figure 15 is a flow chart of the third embodiment of the method provided by the present invention for resolving key type inconsistency in GBA Push.
Step 1501: while the BSF communicates with the UE, the key type information the UE supports is obtained and stored.
Step 1502: the BSF notifies the network application function NAF of the key type information the UE supports, so that the NAF can encrypt the pushed information with the key type the UE supports when performing GBA Push.
In one embodiment of the present invention, the BSF obtains and saves the key type information the UE supports.
In one embodiment of the present invention, the NAF obtains from the BSF the type information of the key the UE supports, and the NAF encrypts the pushed information with that key.
With this embodiment, the server can store in advance the key type information supported by different UEs and, when pushing, directly encrypt with the key the UE supports, so that the UE can decrypt correctly when it receives the pushed information and the key type indicated by the server.
Figure 16 is a signal flow diagram of the seventh embodiment of the method provided by the present invention for resolving key type inconsistency in GBA Push.
It comprises step 1601: when the UE communicates with the NAF, a Transport Layer Security (TLS) tunnel is established, and the UE sends an HTTP request to the NAF to obtain access to a service; the HTTP request contains the location of the client on the UE. The "User Agent" field in the HTTP header of the request contains the fixed character string "3gpp-gba" (an ME-based application, i.e. the client is on the ME) or "3gpp-gba-uicc" (a UICC-based application, i.e. the client is on the UICC card).
Step 1602: the NAF includes the parameter 3gpp-gba or 3gpp-gba-uicc in the Authentication Request message it sends to the BSF; this parameter indicates to the BSF where the UE client resides (3gpp-gba indicates the client is on the ME; 3gpp-gba-uicc indicates the client is on the UICC card).
Step 1603: after the BSF receives the Authentication Request message, it generates Ks_ext_NAF and Ks_int_NAF, and also stores the location of this UE's client.
Step 1604: when information needs to be pushed, the BSF sends the NAF parameters including Ks_ext_NAF or Ks_int_NAF, according to the stored location of the UE client.
Step 1605: the NAF encrypts the PUSH message with the key, marks in the pushed information the key type information indicating the key type the UE is to use, and pushes it to the UE.
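The network-side decision in steps 1402 to 1404 and 1601 to 1604 depends on reading the User-Agent token correctly, and "3gpp-gba" is a prefix of "3gpp-gba-uicc". The following added example (not code from the patent) contrasts a substring check with whole-token matching and then applies the accept-or-error policy of steps 1403 and 1404; the function names, the sample User-Agent strings and the handling of requests that carry both tokens or neither are assumptions of this example.

```python
import re

# Product tokens named on the page (step 1601) and the client location they signal.
LOCATION_BY_TOKEN = {"3gpp-gba": "me", "3gpp-gba-uicc": "uicc"}
# Key held at each location per the page: ME stores Ks_ext_NAF, UICC stores Ks_int_NAF.
KEY_TYPE_BY_LOCATION = {"me": "Ks_ext_NAF", "uicc": "Ks_int_NAF"}


def naive_location(user_agent):
    """Substring test, shown for contrast: it reports every UICC client as ME."""
    if "3gpp-gba" in user_agent:
        return "me"
    if "3gpp-gba-uicc" in user_agent:  # never reached for a UICC client
        return "uicc"
    return None


def client_location(user_agent):
    """Match whole User-Agent product tokens; parenthesised comments are ignored."""
    without_comments = re.sub(r"\([^()]*\)", " ", user_agent)
    found = set()
    for product in without_comments.split():
        name = product.split("/", 1)[0]  # drop an optional /version suffix
        if name in LOCATION_BY_TOKEN:
            found.add(LOCATION_BY_TOKEN[name])
    # Assumption of this example: both tokens, or neither, is undecidable.
    return found.pop() if len(found) == 1 else None


def choose_push_key(user_agent, accepted_key_types):
    """Return ("push", key_type), or ("error", None) when the NAF must refuse."""
    location = client_location(user_agent)
    if location is None:
        return ("error", None)
    key_type = KEY_TYPE_BY_LOCATION[location]
    if key_type not in accepted_key_types:
        return ("error", None)  # step 1403: key type not acceptable to the NAF
    return ("push", key_type)   # step 1404: encrypt with the UE's key type


# Constructed User-Agent values (not from the page).
SAMPLE_USER_AGENTS = [
    "ExampleBrowser/1.0 3gpp-gba",
    "ExampleBrowser/1.0 3gpp-gba-uicc",
    "ExampleBrowser/1.0 (mentions 3gpp-gba-uicc)",
    "ExampleBrowser/1.0 3gpp-gba 3gpp-gba-uicc",
]

if __name__ == "__main__":
    for ua in SAMPLE_USER_AGENTS:
        print(repr(ua), naive_location(ua), client_location(ua),
              choose_push_key(ua, {"Ks_ext_NAF"}))
```

With the substring check, a UICC-based client would be sent a message encrypted with Ks_ext_NAF, which is exactly the key type mismatch the embodiments are meant to remove.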
Figure 17 is a flow chart of the fourth embodiment of the decryption method in GBA Push of the present invention.
Step 1701: receive the encrypted pushed information pushed by the server and its corresponding key type information;
Step 1702: if the client is located in the first discrete cell, and the third key of this first discrete cell does not match the key type information, then:
The first discrete cell sends a command to the second discrete cell requesting the second discrete cell to download the client, and the second discrete cell then decrypts the pushed information with the fourth key;
Or, the first discrete cell obtains the fourth key from the second discrete cell and uses the fourth key to decrypt the PUSH message.
In one embodiment of the present invention, the first discrete cell is the ME of the UE and the second discrete cell is the Universal Integrated Circuit Card UICC of the UE; correspondingly, the third key is the external key and the fourth key is the internal key;
Or the first discrete cell is the Universal Integrated Circuit Card UICC of the UE and the second discrete cell is the ME of the UE; correspondingly, the third key is the internal key and the fourth key is the external key.
With this embodiment, the UE decrypts the encrypted pushed information by having the other discrete cell download the client or by obtaining the other discrete cell's key, so no key needs to be computed, which reduces the amount of computation.
Figure 18 is a structural schematic diagram of the third embodiment of a UE according to the embodiments of the present invention.
It comprises a receiving unit 1801, configured to receive one piece of encrypted pushed information pushed by the server and its corresponding key type information.
The judging unit 1802 is configured to judge whether the third key of the first discrete cell, where the client resides, matches the key type information;
The decryption unit 1803 is configured, when the judgment result of the judging unit is a mismatch, to send a command to the second discrete cell requesting the second discrete cell to download the client, so that the second discrete cell decrypts the pushed information with the fourth key; or to obtain the fourth key from the second discrete cell and use the fourth key to decrypt the PUSH message.
The first discrete cell may be the ME of the UE, with the third key being the external key, and the second discrete cell may be the UICC of the UE, with the fourth key being the internal key; or the first discrete cell is the UICC of the UE, with the third key being the internal key, and the second discrete cell may be the ME of the UE, with the fourth key being the external key.
Figure 19 is a structural diagram of an embodiment of the BSF of the present invention.
It comprises an acquiring unit 1901, configured to obtain and store, while the BSF communicates with the UE, the key type information the UE supports;
The sending unit 1902 is configured to notify the network application function NAF of the key type information the UE supports, so that the NAF can encrypt the pushed information with the key type the UE supports when performing GBA Push.
With the above embodiment, by receiving the supported key type returned by the UE, a suitable key can be selected during encryption, which avoids the decryption failure that occurs when the key type does not match at the time the UE decrypts.
The beneficial effects of the embodiments of the present invention are as follows. The server sends the UE two pieces of pushed information encrypted with different keys, so the UE can obtain pushed information it is able to decrypt without the server receiving any message from the UE; the UE can call the appropriate key, according to the received key type information, to decrypt the pushed information; the UE can feed back to the server whether the key type is correct, so the server can adjust the pushed information according to the feedback; the server can dynamically adjust the pushed information according to the supported key type information fed back by the UE, which solves the problem that the UE cannot decrypt the pushed information during GBA push because of key type inconsistency; the server can store in advance the key type information supported by different UEs and, when pushing, directly encrypt with the key the UE supports, so that the UE can decrypt correctly when it receives the pushed information and the key type indicated by the server; and by having the other discrete cell download the client, or by obtaining the other discrete cell's key, the UE can decrypt the encrypted pushed information without computing a key, which reduces the amount of computation.
From the above description of the embodiments, those skilled in the art will clearly understand that the present invention can be implemented in hardware, or in software together with the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention can be embodied as a software product, which can be stored in a non-volatile storage medium such as a CD-ROM, a USB flash drive or a portable hard drive, and which includes instructions that cause a computer device, such as a personal computer, a receiving terminal or a network device, to execute the methods of the embodiments of the present invention.
The sequence numbers of the above embodiments of the present invention are for description only and do not indicate the relative merit of the embodiments.
The above embodiments further describe the purpose, technical solution and beneficial effects of the present invention. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (9)

1. A key notification method in generic bootstrapping architecture push (GBA Push), characterized in that the method comprises:
Encrypting the pushed information to be pushed to a user equipment (UE) with a first key and with a second key respectively, generating two pieces of encrypted pushed information;
Sending the two pieces of encrypted pushed information and their corresponding key type information to the UE;
Wherein the first key and the second key are the internal key Ks_int_NAF and the external key Ks_ext_NAF; or are the internal key Ks_int_NAF and an internal structure key that the BSF generates from the external key Ks_ext_NAF and a specific character string; or are the external key Ks_ext_NAF and an external structure key that the BSF generates from the internal key Ks_int_NAF and a specific character string;
If the third key in the discrete cell of the UE where the client resides does not match the key type information, a fourth key is generated from the third key, and the fourth key is used to decrypt the pushed information having the corresponding key type information;
The third key and the fourth key are the external key Ks_ext_NAF and the internal structure key generated from the external key Ks_ext_NAF and the specific character string, or are the internal key Ks_int_NAF and the external structure key generated from the internal key Ks_int_NAF and the specific character string.
2. The method according to claim 1, characterized in that,
Before the pushed information to be pushed to the user equipment (UE) is encrypted with the first key and with the second key respectively, the method further comprises:
Obtaining the internal key Ks_int_NAF and the external key Ks_ext_NAF calculated by the bootstrapping server function BSF, the internal structure key corresponding to the internal key Ks_int_NAF, and the external structure key corresponding to the external key Ks_ext_NAF;
The encrypting of the pushed information to be pushed to the UE with the first key and with the second key respectively specifically comprises:
Encrypting the pushed information with the internal key Ks_int_NAF and with its corresponding internal structure key respectively; or encrypting the pushed information with the external key Ks_ext_NAF and with its corresponding external structure key respectively.
3. The method according to claim 2, characterized in that the obtaining of the internal structure key corresponding to the internal key Ks_int_NAF and the external structure key corresponding to the external key Ks_ext_NAF specifically comprises:
Obtaining the internal structure key that the BSF generates from the external key Ks_ext_NAF and a specific character string;
Obtaining the external structure key that the BSF generates from the internal key Ks_int_NAF and a specific character string;
Wherein the specific character string may be preset, or may be generated at random and then pushed to the UE.
4. The method according to claim 1, characterized in that, before the pushed information to be pushed to the user equipment (UE) is encrypted with the first key and with the second key respectively, the method further comprises:
Obtaining the internal key Ks_int_NAF and the external key Ks_ext_NAF calculated by the bootstrapping server function BSF;
The encrypting of the pushed information to be pushed to the user equipment (UE) with the first key and with the second key respectively specifically comprises:
Encrypting the pushed information with the internal key and with the external key Ks_ext_NAF respectively.
5. A decryption method in GBA Push, characterized in that the method comprises:
Receiving two pieces of encrypted pushed information pushed by a server and their corresponding key type information, wherein the two pieces of encrypted pushed information are generated by the server encrypting the pushed information to be pushed to the UE with a first key and with a second key respectively;
If the third key in the discrete cell of the UE where the client resides does not match the key type information, generating a fourth key from the third key, and using the fourth key to decrypt the pushed information having the corresponding key type information;
Wherein the first key and the second key are the internal key Ks_int_NAF and the external key Ks_ext_NAF; or are the internal key Ks_int_NAF and an internal structure key that the BSF generates from the external key Ks_ext_NAF and a specific character string; or are the external key Ks_ext_NAF and an external structure key that the BSF generates from the internal key Ks_int_NAF and a specific character string;
The third key and the fourth key are the external key Ks_ext_NAF and the internal structure key generated from the external key Ks_ext_NAF and the specific character string, or are the internal key Ks_int_NAF and the external structure key generated from the internal key Ks_int_NAF and the specific character string.
6. The method according to claim 5, characterized in that,
The discrete cell is the mobile equipment ME of the UE and the third key is the external key Ks_ext_NAF, and the generating of the fourth key from the third key specifically comprises: generating the internal structure key from the external key Ks_ext_NAF and the specific character string, wherein the internal structure key is the fourth key;
Or, the discrete cell is the Universal Integrated Circuit Card UICC of the UE and the third key is the internal key Ks_int_NAF, and the generating of the fourth key from the third key specifically comprises: generating the external structure key from the internal key Ks_int_NAF and the specific character string, wherein the external structure key is the fourth key;
Wherein the specific character string is preset, or is the specific character string received from the server's push.
7. A decryption method in GBA Push, characterized in that the method comprises:
Receiving two pieces of encrypted pushed information pushed by a server and their corresponding key type information, wherein the two pieces of encrypted pushed information are generated by the server encrypting the pushed information to be pushed to the UE with the internal key Ks_int_NAF and with the external key Ks_ext_NAF respectively;
If the discrete cell of the UE where the client resides is the ME of the UE, using the external key Ks_ext_NAF stored in the ME to decrypt the pushed information having the corresponding key type information;
If the discrete cell of the UE where the client resides is the UICC of the UE, using the internal key Ks_int_NAF stored in the UICC to decrypt the pushed information having the corresponding key type information.
8. A server, characterized in that the server comprises:
An encryption unit, configured to encrypt the pushed information to be pushed to the UE with a first key and with a second key respectively, generating two pieces of encrypted pushed information;
A sending unit, configured to send the two pieces of encrypted pushed information, and the key type information used for each piece of pushed information, to the UE;
Wherein the first key and the second key are the internal key Ks_int_NAF and the external key Ks_ext_NAF; or are the internal key Ks_int_NAF and an internal structure key that the BSF generates from the external key Ks_ext_NAF and a specific character string; or are the external key Ks_ext_NAF and an external structure key that the BSF generates from the internal key Ks_int_NAF and a specific character string;
If the third key in the discrete cell of the UE where the client resides does not match the key type information, a fourth key is generated from the third key, and the fourth key is used to decrypt the pushed information having the corresponding key type information;
The third key and the fourth key are the external key Ks_ext_NAF and the internal structure key generated from the external key Ks_ext_NAF and the specific character string, or are the internal key Ks_int_NAF and the external structure key generated from the internal key Ks_int_NAF and the specific character string.
9. A UE, characterized in that the UE comprises:
A receiving unit, configured to receive the two pieces of encrypted pushed information sent by the server and the corresponding key type information;
A first discrete cell, configured, when the client is in the first discrete cell, to generate a fourth key from the third key if the third key of this first discrete cell does not match the key type information, and to use the fourth key to decrypt the pushed information having the corresponding key type information;
Wherein the first key and the second key are the internal key Ks_int_NAF and the external key Ks_ext_NAF; or are the internal key Ks_int_NAF and an internal structure key that the BSF generates from the external key Ks_ext_NAF and a specific character string; or are the external key Ks_ext_NAF and an external structure key that the BSF generates from the internal key Ks_int_NAF and a specific character string;
The third key and the fourth key are the external key Ks_ext_NAF and the internal structure key generated from the external key Ks_ext_NAF and the specific character string, or are the internal key Ks_int_NAF and the external structure key generated from the internal key Ks_int_NAF and the specific character string.
CN200910137951.2A 2009-04-28 2009-04-28 Secret key notification and decryption method and device in GBA (Generic Bootstrapping Architecture) Push Expired - Fee Related CN101877834B (en)

Publications (2)

Publication Number Publication Date
CN101877834A CN101877834A (en) 2010-11-03
CN101877834B true CN101877834B (en) 2013-10-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20131002